Ask a Question

Issue:
On 20th May 2015, several weaknesses in the Diffie-Hellman Key Exchange that could lead to security vulnerabilities in protocols such as HTTPS that rely on TLS 1.2 and earlier were published on the following website - https://weakdh.org/. This is known as the Logjam attack (CVE-2015-4000).

Products:
PowerChute Network Shutdown

Environment:
All Support OS

Cause:

Logjam attack against the TLS protocol: “The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.”

Threats from State Adversaries: The use of pre-computed prime numbers that are 1024 bits in size or less in the Diffie-Helman key exchange can be exploited with varying levels of difficulty:

V3.0.x – DHE_EXPORT cipher suites are blocked but they use a Diffie-Hellman prime of less than 2048-bits and are therefore vulnerable. The level of difficulty depends on the JRE version being used with PowerChute. Java 8 uses a default value of 1024-bits. Java 7 may use 768-bits or higher depending on the version.

V4.0.0 - DHE_EXPORT cipher suites are blocked but they use a Diffie-Hellman prime of less than 2048-bits and are therefore vulnerable. The level of difficulty depends on the JRE version being used with PowerChute. Java 8 uses a default value of 1024-bits. Java 7 may use 768-bits or higher depending on the version.

Solution:

PowerChute Network Shutdown
We recommend updating the version of PowerChute Network Shutdown to the latest version, v4.0.0, or updating the JRE version used by PowerChute to Java 8. For 32-bit Solaris OS, Java 7 must be used.

V2.2.x – Install the 32-bit version of Java 8 from java.com on the machine running PowerChute. Re-run the PowerChute installer – v2.2.x will automatically detect and use Java 8.

V3.0.x – Install the 32-bit version of Java 8 from java.com on the machine running PowerChute. Re-run the PowerChute installer and select the Public JRE option.

V4.0.0 has Java 8 bundled as a private JRE.

Once PowerChute has been configured to use Java 8 (Java 7 on Solaris x86):

Stop the PowerChute service.

In the folder where Java is installed open “lib\security\java.security” using a text editor.

Scroll to the end of the file and locate the line “jdk.tls.disabledAlgorithms=SSLv3” – set this to “jdk.tls.disabledAlgorithms=SSLv3,DH”

Save the file and re-start the PowerChute service.

Adding “DH”, as outlined in step 3 above, removes support for DHE cipher suites and forces connections to PowerChute using ECDHE cipher suites. Elliptic-Curve Diffie-Hellman (ECDH) key exchange is not vulnerable to the Logjam attack.